
Attribute Based Encryption for Secure Data Access in Cloud


Academic year: 2021


theRepository at St. Cloud State

Culminating Projects in Information Assurance

Department of Information Systems

12-2017

Attribute Based Encryption for Secure Data Access in Cloud

Anirudh Mittal

St. Cloud State University, anirudhm2803@gmail.com

Follow this and additional works at: https://repository.stcloudstate.edu/msia_etds

This Starred Paper is brought to you for free and open access by the Department of Information Systems at theRepository at St. Cloud State. It has been accepted for inclusion in Culminating Projects in Information Assurance by an authorized administrator of theRepository at St. Cloud State. For more information, please contact rswexelbaum@stcloudstate.edu.

Recommended Citation

Mittal, Anirudh, "Attribute Based Encryption for Secure Data Access in Cloud" (2017). Culminating Projects in Information Assurance. 39.


Attribute Based Encryption for Secure Data Access in Cloud

by

Anirudh Mittal

A Starred Paper

Submitted to the Graduate Faculty of St. Cloud State University

in Partial Fulfillment of the Requirements for the Degree of

Master of Science in Information Assurance

December, 2017

Starred Paper Committee:

Susantha Herath, Chairperson

Dennis Guster

Sneh Kalia

Abdullah Abu Hussein


Abstract

Cloud computing is a progressive computing paradigm that enables flexible, on-demand, and easy use of Information Technology resources. However, data is transmitted to cloud servers, and various privacy concerns arise from this. Various schemes based on attribute-based encryption have been proposed to secure cloud storage. However, most work focuses on data content privacy and access control, while less attention is paid to privilege control and identity privacy. This paper presents a semi-anonymous privilege control scheme, AnonyControl, which addresses data privacy as well as user identity privacy in existing access control schemes. AnonyControl decentralizes the central authority to limit identity leakage and thereby achieves semi-anonymity. It also generalizes file access control to privilege control, by which the privileges of all operations on cloud data are managed in a fine-grained way. The paper then presents AnonyControl-F, which fully prevents identity leakage and achieves full anonymity. Our security analysis shows that both AnonyControl and AnonyControl-F are secure under the decisional bilinear Diffie-Hellman assumption, and our performance evaluation shows the feasibility of our schemes.


Acknowledgement

The successful completion of this paper could not have been possible without the guidance of my beloved professors, Dr. Dennis Guster and Dr. Susantha Herath. I also would like to thank Professor Sneh Kalia for being part of the committee and finding the time to read my thesis and special thanks to Dr. Abdullah Abu Hussein for his time to hear out the paper presentation.

I also would like to thank my mother Anuradha Mittal, my father, Lakshmi Narayan Mittal, and my friends who provided me immense support the entire way.

Table of Contents

List of Figures

Chapter

I. Introduction
    Problem Statement
    Nature and Significance of the Problem
    Objective of the Project
    Limitation of the Project
    Definition of Terms
    Summary

II. Background and Review of Literature
    Introduction
    Background Related to the Problem
    Literature Related to the Problem
    Literature Related to the Methodology
    Advantages and Disadvantages of Cloud Storages
    Applications of a Cloud-Based Computing System
    Concerns Regarding Cloud Computing
    Summary

III. Data Breach in Cloud
    Types of Attacks
    Motives of an Attacker
    Guidelines for Privacy and Security in Cloud
    Secure Data Sharing in Cloud and its Importance
    Elements of Data Sharing Cloud
    Key Management in the Cloud
    Types of Cloud
    Service Models for Cloud Computing
    Summary

IV. Technology Overview
    Introduction
    Object-Oriented Programming Concepts
    Java Inheritance
    Polymorphism in Java
    Logging Framework
    Pipeline Framework

V. Methodology
    Introduction
    System Design
    Data Flow Diagram
    Sequence Diagram
    Activity Diagram
    Data Flow Diagram
    Data Consumer
    Sequence Diagram
    Use Case Diagram
    Activity Diagram
    Cloud Admin
    Use Case Diagram
    Sequence Diagram
    Activity Diagram
    Summary

VI. Feasibility Study and Implementation
    Introduction
    Feasibility Study
    Economic Feasibility
    Technical Feasibility
    Operational Feasibility
    Schedule Feasibility
    Architecture Diagram and Main Modules
    Security Module
    Attribute-Based Encryption Module
    Multi-Authority Module
    Algorithm
    Anony Control and Anony Control-F
    Summary

VII. System Configurations
    Software Requirements
    Hardware Requirements

VIII. Pages Designed
    Introduction
    Home Page
    Registration Page
    Login Page
    Request Data Ownership
    Providing Ownership
    Data Owner Operations
    Data Owner Uploads File
    Data Consumer
    Attribute Authority Login
    Summary

IX. System Testing
    Introduction
    Types of Tests
    Unit Testing
    Integration Testing
    Functional Testing
    System Testing
    White Box Testing
    Black Box Testing
    Unit Testing
    Test Strategy and Approach
    Test Objectives
    Features to be Tested
    Integration Testing
    Acceptance Testing
    Summary

X. Results, Conclusion, and Future Work
    Introduction
    Results
    Future Work

References

Appendix

List of Figures

Figure

1. No Flow
2. Data Encrypted Flow
3. Sequence Flow
4. Authentication Flow
5. Data Consumption Flow
6. Verification Flow
7. Yes Flow
8. Decryption Flow
9. Cloud Admin
10. Yes Flow
11. Authentication Flow
12. Login Flow
13. Feasibility Study
14. System Architecture
15. Home Page
16. Registration Page
17. Success Full Registration
18. Admin Login
20. Data Owner Login
21. Request Data Ownership
22. Providing Ownership
23. Data Owner Operations
24. File Upload
25. File Details
26. Data Consumer Accessing Data from Cloud
27. Attribute Authority Login
28. Data Available in Application
29. Cloud Server Login

Chapter I: Introduction

Cloud computing is a model for convenient, on-demand network access to a shared pool of configurable computing resources that can be rapidly provisioned and released with minimal management effort or service provider interaction. Its primary goal is to deliver fast, secure, convenient data storage and net computing management, with all computing resources envisioned as services and delivered over the Internet. Various computing concepts and technologies can be used along with cloud computing to meet the computing needs of users. It provides common business applications online through web browsers, while their data and software are kept on the servers.

It is an approach that can be used to extend capacity or add capabilities dynamically without investing in new infrastructure, training new personnel, or licensing new software. It gives users large data capacity and fast computing over the web. Data security is one of the aspects of the cloud that keeps users from using cloud services. Data owners, particularly in large organizations, fear that their data may be misused by the cloud provider without their knowledge. User data can be secured by using virtual private networks and firewalls, and by enforcing other security policies within its boundaries.

Security is an essential module in any cloud computing environment, since it is crucial to ensure that only authorized access is permitted and only secure behavior is accepted. Any security or privacy violation is critical and can have serious consequences. Once strict regulations and policies against security violations in the cloud are in place, more and more people will feel safe adopting cloud computing. A customer may be an individual or a large organization; however, all share the same concern, namely data security. Data security at various levels is the crucial matter of this technology and is grouped into two categories: security at the external level and security at the internal level. Security at the external level concerns data being insecure against an outsider, cloud service provider, or network intruder. Security at the internal level means that data is made available to authorized users or employees of an organization.

A secure server provides a protected foundation for hosting Web applications, and Web server configuration plays an essential part in a Web application's security. A badly configured server can lead to unauthorized access. A forgotten share can provide a convenient back door, while an unused port is an attacker's front door. Neglected user accounts can allow an attacker to slip past defenses unnoticed. Understanding the threats to the Web server and being able to identify appropriate countermeasures makes it possible to anticipate many attacks and thwart the steadily growing number of attackers. This system provides bidirectional encryption of communications between a client and a server, which protects against eavesdropping on, tampering with, and forging the communication. In practice, this provides a reasonable assurance of exactly whom one is communicating with.

Problem Statement

Various schemes based on attribute-based encryption have been proposed to secure cloud storage, but most of them focus on data content privacy and access control, while less attention is given to privilege control and identity privacy. Data sharing in the cloud is highly vulnerable to cyber-attacks, since data is stored on cloud servers and multiple users access data from unknown servers, which makes data security and privacy critical issues for remote data storage. This uncertainty about data privacy and user integrity is the foundation of the study.

Nature and Significance of the Problem

A secure, user-enforced data access control mechanism gives cloud users the flexibility to outsource sensitive data for cloud storage. With the need to share confidential corporate data on cloud servers, it is imperative to adopt an efficient encryption system with fine-grained access control to encrypt outsourced data. In this paper, the proposed solution guarantees a secured data exchange between the client and the target server that cannot be accessed by an unauthenticated user. The Secure Server Plus (SSP) application has twofold login security: after signing into the application, the client receives a secret key at his registered Gmail ID. The key is entered in the pop-up box shown after signing into the SSP application. This application has two functions, encryption and decryption. Encryption is the function in which the file to be sent over Gmail is divided into four chunks in byte format and then encrypted using various encryption algorithms. After encryption, the files are delivered to the recipient through Gmail. At the recipient end, the user downloads the files and uses the SSP application, in which the data in the files is decrypted and combined.

Objective of the Project

This project aims to set up a secure layer for storing, retrieving, and transferring data across multiple users with data privacy, content privacy, and user identity intact. AnonyControl is proposed to let cloud servers control users' access privileges without knowing their identity information. The proposed schemes can protect users' privacy against every single authority. Partial information is disclosed in AnonyControl, and no information is disclosed in AnonyControl-F. The proposed schemes are tolerant of authority compromise, and compromising up to (N − 2) authorities does not bring the whole system down. A formal analysis of security and performance is given to show the feasibility of the schemes AnonyControl and AnonyControl-F. Initially, the whole toolkit of the multi-authority based encryption schemes AnonyControl and AnonyControl-F was implemented.

Limitation of the Project

The research has some limitations, as follows. User revocation is difficult: whenever an owner wants to change the access right of a user, it is not possible to do so efficiently. Decryption keys only support user attributes that are organized logically as a single set, so users can only use all possible combinations of attributes in the single set issued in their keys to satisfy the policies.

Definition of Terms

ABE. Attribute-Based Encryption: a form of public-key encryption in which the secret key of the user and the ciphertext depend upon attributes, i.e., on the address of the user or the kind of subscription, attributes unique to the user. The two flavors of ABE are:

KP-ABE (Key-Policy ABE): Here the ciphertext is associated with a set of attributes, and the private key is associated with a monotonic access structure such as a tree, which describes the user's identity (e.g., IIT And Ph.D. or Masters). A user can decrypt the ciphertext if and only if the access tree in his private key is satisfied by the attributes of the ciphertext. The main drawback of KP-ABE is that every time the user encrypts data, the system must reissue the private keys to gain access to the file.

CP-ABE (Ciphertext-Policy ABE): Here the ciphertext is created with an access structure, which specifies the encryption policy, and private keys are generated according to users' attributes. A user can decrypt the ciphertext if and only if the attributes in the user's private key satisfy the access tree specified in the ciphertext. Here the private keys are not re-issued every time.
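The access-tree rule in the definitions above, as an added example (not code from the paper or from its implementation): Shamir shares are pushed down a threshold tree, which is how tree-based ABE constructions bind a secret to a policy. Assumptions: the page's sample policy is read as IIT AND (Ph.D. OR Masters); a plain attribute check stands in for the pairing operations, so leaf shares sit unblinded in the ciphertext and the block shows policy enforcement only, with no confidentiality or collusion resistance; all function names are illustrative.

```python
import hashlib
import secrets

P = 2**127 - 1  # prime field for the shares (a Mersenne prime)

def leaf(attr):
    return {"attr": attr}

def gate(k, *children):
    """k-of-n threshold gate over child nodes."""
    return {"k": k, "children": list(children)}

def AND(*children):
    return gate(len(children), *children)

def OR(*children):
    return gate(1, *children)

def share(node, secret, out=None, path="0"):
    """Push `secret` down the tree; returns {leaf_path: (attr, share)}."""
    out = {} if out is None else out
    if "attr" in node:
        out[path] = (node["attr"], secret)
        return out
    # Random polynomial q of degree k-1 with q(0) = secret; child i gets q(i).
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(node["k"] - 1)]
    for i, child in enumerate(node["children"], start=1):
        q_i = sum(c * pow(i, e, P) for e, c in enumerate(coeffs)) % P
        share(child, q_i, out, f"{path}.{i}")
    return out

def interpolate_at_zero(points):
    """Lagrange interpolation of q(0) from k points (x, q(x)) mod P."""
    total = 0
    for xi, yi in points:
        num, den = 1, 1
        for xj, _ in points:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total

def recover(node, shares, attrs, path="0"):
    """Return this node's secret if `attrs` satisfies the subtree, else None."""
    if "attr" in node:
        attr, value = shares[path]
        # Stand-in for the pairing step: a real scheme can only unblind this
        # share with a key component issued for `attr`.
        return value if attr in attrs else None
    points = []
    for i, child in enumerate(node["children"], start=1):
        value = recover(child, shares, attrs, f"{path}.{i}")
        if value is not None:
            points.append((i, value))
        if len(points) == node["k"]:
            return interpolate_at_zero(points)
    return None

def _pad(secret):
    # Toy one-time pad derived from the shared secret (covers 32 bytes).
    return hashlib.sha256(secret.to_bytes(16, "big")).digest()

def seal(policy, message):
    """CP-ABE shape: the policy travels with the ciphertext."""
    if len(message) > 32:
        raise ValueError("toy pad covers at most 32 bytes")
    secret = secrets.randbelow(P)
    body = bytes(m ^ p for m, p in zip(message, _pad(secret)))
    return {"policy": policy, "shares": share(policy, secret), "body": body}

def unseal(ciphertext, key_attrs):
    """Return the plaintext if the key's attributes satisfy the policy."""
    secret = recover(ciphertext["policy"], ciphertext["shares"], set(key_attrs))
    if secret is None:
        return None
    return bytes(c ^ p for c, p in zip(ciphertext["body"], _pad(secret)))

def satisfies(policy, attrs):
    """Policy check alone. CP-ABE: (ciphertext policy, key attributes);
    KP-ABE: (key policy, ciphertext attributes)."""
    return recover(policy, share(policy, 1), set(attrs)) is not None

if __name__ == "__main__":
    # Constructed policy from the page's example: IIT AND (Ph.D. OR Masters).
    policy = AND(leaf("IIT"), OR(leaf("Ph.D."), leaf("Masters")))
    ct = seal(policy, b"constructed sample record")
    print(unseal(ct, {"IIT", "Masters"}))
    print(unseal(ct, {"Ph.D.", "Masters"}))
    print(satisfies(policy, {"IIT", "Ph.D."}))
```

The same `satisfies` call covers both flavors; what differs is which side carries the tree and which side carries the attribute set.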

Summary

This chapter summarized the need for the project, what the current issue is, and how it is handled by this project. Some project-related terms that are used in the coming chapters were also defined, and the scope and limitations were listed. The following chapter gives a brief description of the background and a review of the literature.

Chapter II: Background and Review of Literature

Introduction

This chapter presents the background related to the problem for which the project is a solution, along with the areas that were analyzed to solve the problem. It refers to analysis derived from other articles, as well as methodologies used in the literature.

Background Related to the Problem

This section introduces bilinear maps and gives formal definitions for access structures and relevant background on Linear Secret Sharing Schemes (LSSS), followed by the algorithms and security definitions of Ciphertext-Policy Attribute-Based Encryption with identity-based user revocation.

Literature Related to the Problem

According to Park (2011), the cloud computing service provider cannot be trusted entirely for data security reasons; the danger to data safety and the infringement of privacy are considered. In particular, ensuring data confidentiality is required. To take care of these issues, Yu, Wang, Ren, and Lou (2010) proposed a scheme that guarantees data confidentiality and fine-grained access control. However, data confidentiality was violated by a collusion attack of a revoked user and the cloud server. To take care of this issue, data confidentiality was ensured by storing and dividing the data file into header and body. In addition, the method of selective delegation of the whole or partial message according to the delegator's reliability towards the delegate, using type-based re-encryption, was specified.

According to Yang and Ziaohua (2014), Ciphertext-Policy Attribute-based Encryption (CP-ABE) is a promising technique for access control of encrypted data, which requires a trusted authority to manage all the attributes and distribute keys in the system. In multi-authority cloud storage systems, the users' attributes come from different domains, each of which is managed by a different authority. However, existing CP-ABE schemes cannot be directly applied to data access control for multi-authority cloud storage systems, because of the inefficiency of decryption and revocation. That work proposes DAC-MACS (Data Access Control for Multi-Authority Cloud Storage), a robust and secure data access control scheme with efficient decryption and revocation.

According to Yu et al. (2010), cloud computing is an emerging computing model in which the resources of the computing infrastructure are offered as services over the Internet. As promising as it is, this change also brings with it many new challenges for data security and access control when users outsource sensitive data for sharing on cloud servers, which are not within the same trusted domain as the data owners. To keep sensitive user data confidential from untrusted and prying servers, existing solutions usually apply cryptographic methods by revealing data decryption keys only to authorized users. However, in doing so, these solutions inevitably introduce a heavy computation overhead on the data owner for key distribution and data management when fine-grained data access control is desired, and thus do not scale well. The problem of simultaneously achieving fine granularity, scalability, and data confidentiality of access control remains unresolved. Yu et al. address this challenging open issue by, on the one hand, defining and enforcing access policies based on data attributes, and, on the other hand, allowing the data owner to delegate most of the computation tasks involved in fine-grained data access control to untrusted cloud servers without disclosing the underlying data contents. This goal is achieved by combining the techniques of attribute-based encryption (ABE), proxy re-encryption, and lazy re-encryption. Their proposed scheme also has the main properties of user access privilege confidentiality and user secret key accountability. Extensive analysis shows that their proposed system is highly efficient and provably secure under existing security models.

According to Le, Yu, Zheng, Ren, and Lou (2013), the personal health record (PHR) is a rising patient-centric model of health information exchange, which is often outsourced to be kept at a third party, such as cloud providers. However, there have been grave privacy concerns, as personal health information could be exposed to those third-party servers and to unauthorized parties. To assure the patients' control over access to their PHRs, a promising method is to encrypt the PHRs before outsourcing. Problems that include risks of privacy exposure, scalability in key management, flexible access, and efficient user revocation have remained an essential challenge toward attaining fine-grained, cryptographically enforced data access control. That paper proposes a novel patient-centric framework and a group of mechanisms for data access control to PHRs stored in semi-trusted servers. To attain fine-grained and scalable data access control for PHRs, it applies attribute-based encryption (ABE) techniques to encrypt every patient's PHR file. Different from preceding works in secure data outsourcing, the focus is on the multiple data owner situation, and the users in the PHR system are divided into numerous security domains, which substantially reduces the key management complexity for owners and users. A high degree of patient privacy is guaranteed simultaneously by exploiting multi-authority ABE. Their scheme additionally enables dynamic change of access policies or file attributes, and supports efficient on-demand user/attribute revocation and break-glass access under emergency scenarios. Significant analytical and experimental results are presented which show the security, scalability, and efficiency of their proposed scheme.


According to Li, Yu, Ren, and Lou (2010), an online personal health record (PHR) enables patients to manage their medical records in a centralized way, which greatly facilitates the storage, access, and sharing of personal health data. With the rise of cloud computing, it is attractive for PHR service providers to shift their PHR applications and storage into the cloud, to enjoy the elastic resources and cut the effective cost. However, by storing PHRs in the cloud, patients lose physical control of their health data, which makes it necessary for each patient to encrypt her PHR data before uploading it to the cloud servers. Under encryption, it is challenging to achieve fine-grained access control to PHR data in a scalable and efficient way. For each patient, the PHR data should be encrypted so that it is scalable with the number of users having access. Also, since there are multiple owners (patients) in a PHR system and every owner would encrypt her PHR files using a different set of cryptographic keys, it is essential to cut the key distribution complexity in such multi-owner settings. Existing cryptographically enforced access control schemes are mostly designed for single-owner scenarios.

According to Park (2011), the cloud computing service provider cannot be trusted for data security reasons; the risk to data safety and the violation of privacy are taken into account. In particular, guaranteeing data confidentiality is needed. To solve these problems, Yu et al. (2010) proposed a scheme that ensures data confidentiality and fine-grained access control. However, data confidentiality was violated by a collusion attack of a revoked user and the cloud server. To solve this problem, data confidentiality was guaranteed by storing and dividing the data file into header and body. Also, the method of selective delegation of the whole or partial message according to the delegator's reliability towards the delegate, using type-based re-encryption, was specified.


As is clear from the risks associated with cloud storage, it is paramount to direct central focus on strategic information security for cloud-stored data. Most multinational technology companies are set to have many security challenges, especially those emanating from cyber-attacks. Therefore, corporations should adopt workable strategic information security by controlling the risks. These strategies involve adopting adequate protection mechanisms for an information system; addressing the relationship between people and safety and the legal and ethical matters of security; and employing efficient security principles that help in controlling, mitigating, and recovering from security threats.

Literature Related to the Methodology

Larger organizations that deal with information are always working to plan for risk management and the safety rules they develop within their organization, endeavoring to lower imminent threats to security. Because of the high risks that compromise safety, the goals of information security have become more advanced, and security strategies need to take into account cloud systems, mobile platforms, and the social ecosystem (Blakley, McDermott, & Geer, 2001).

In many cases, the significance of coming up with an information security strategy is ignored. The plan for the security of information plays a significant role in acting as a roadmap for setting up effective security practices that are used in dealing with foreseeable future challenges (Alberts & Dorofee, 2002 cited in Li, Schucheng, Ren, & Lou, 2010). It helps corporations to meet long-term security goals through undertakings that bring the business to a desired future state of security. Ascertaining long-term security for an organization requires determining and understanding the current status within the corporation and the long-term goals set for strategic security road mapping. The backbone of efficient information security incorporates management of risks, classification of different types of information, policies, standards, and procedures, as well as employee training and communication.

For many technology companies that specialize in developing, manufacturing, licensing, and selling various computer and mobile phone software, personal computers, and consumer electronics, and in providing services for their products, their first dealings concern information. Due to the increasing complexity of cyber-attacks and their impacts, these firms need to advance their information security strategies to help them discover, respond to, and recover from various security threats (Zhang, 2010 cited in Jung, Li, Wan, & Wan, 2015). The most effective preventive measures used by these organizations involve rigorous execution of weak remedies, configuration, and change management. As the technology industry goes on to adopt mobile and cloud technology in information transformation and storage, companies should continue to improve their security controls and risk management techniques and balance security threats, especially those that do not coincide with the needs of the business.

To meet its goals successfully, an organization needs to adopt practical strategies for dealing with the risks associated with information security (Humphreys, 2008 cited in Chase & Chow, 2009). The process for managing risk concentrates on providing an enterprise with a clear understanding of risk, to give room for effective decision-making in controlling information risks. The method for risk management is applied in the planning and design stages as well as in the subsequent steps of risk monitoring and review, deployment, and improvement, to ensure proper management of information security risks.


One of the most significant elements of information risk management is the assessment of the risk itself (Jerman, 2008 cited in Bethencourt, Sahai, & Waters, 2013). It is essential to understand the business's need for information security and the risks that an enterprise's assets face. Some of the most relevant activities in the assessment of information risk include identifying assets, identifying the business and legal requirements that are significant to those assets, valuing the assets, identifying vulnerabilities and critical threats to the assets and assessing their likelihood, and finally calculating the risk. Once the risk is determined, it is easier to control it to ensure the integrity of information.

The Microsoft Corporation has a framework for risk management called the Microsoft Enterprise Risk Management Framework (ISRM), which outlines comprehensive control strategies for identifying and managing risks related to working processes and for fostering adherence to the information control requirements. As a mechanism for risk management, the ISRM provides necessary guidelines to business executives to help them come up with sound decisions. Such decision-making rules involve measuring the security risk of information against the goals of the business and the needs of the customers, among other requirements (Spears & Barki, 2008 cited in Chase, 2013). The ISRM is very significant to the corporation, as it supports the business across the range of all contemporary business situations that often affect the application, suppliers, infrastructure, and the enterprise's security boundaries. In the same way, the new system will use this assessment technique to make sure that all the risk.

Advantages and Disadvantages of Cloud Storages

Technology is changing rapidly. It is developing at a breakneck pace globally and is taking over the way people live their lives every day. Comparing what computers were when they were first invented to what they are now is remarkable. Thinking of the first computers, the keywords and phrases that stand out are AOL, dial-up, big bulky computers, and long loading times. Those days are long gone, with compatible new software and technology updates. Almost every household owns a computer or a device that can gain internet access, and many locations offer free Wi-Fi access to connect. This era has become very technology driven. It can even improve the quality of work by delivering service to users, which leaves one feeling very good about cloud computing but then encourages one to also think about its upcoming challenges. When thinking about the cybersecurity issues that are on an upward trajectory in our society, or the digital divide that has our nation on an endless path, one cannot help but worry. Cybersecurity will always be an issue in this state. If one has a password, someone will be able to hack it. It is as if one has the lock, and somehow someone will get the key or pick the lock. With cloud computing, that threat appears less likely to occur; however, that possibility should not be ruled out. Cloud computing in governments would be much more efficient with respect to hacking and cybersecurity. Why would one want private and confidential data to be accessible to everybody who can get into that computer or device? Why not enlist cloud computing software that secures data with a password and permits access to that data on any device that can gain internet access? The days are gone when personal data was stored on a computer's hard drive. Cloud storage is the solution to the ever-present need for storage of all digital property. Cloud storage is an alternative to buying new hard disks and deleting old files to create space. It is convenient and cost-effective. Cloud storage stores data on a server and not on a local hard drive. It helps in having backup, sync, and access to the data on all devices that have an internet connection.


It feels like an excellent way to track personal information. At the same time, it also feels that mobile phones today are so high-end that they have enormous built-in storage capacity for music, photos, and documents. The request line has a command, target source name, protocol name, and version number. The request headers carry the file type information the client accepts. The entity body passes bulk information to the server.

Two crucial measures of the performance of a website are the following. Number of visitors: the number of times a webpage is browsed indicates the usefulness and informative value of the site. Ease of function: the ease with which people can browse and navigate is another essential characteristic. The sites are user-friendly.

The appeal of cloud computing is that it is cost-effective. It allows companies to take advantage of software without having to install any hardware (Jung et al., 2015). Users do not need to make upgrades to the system or reconfigure their servers; the vendor of the software manages all the software changes. Storing data can get expensive quickly; just look at the different prices for iPhones based on how many gigabytes of space they have. More data means more storage and more money spent. They pay for the servers and the infrastructure to support those servers and pay a monthly access fee for a desired amount of space.

As defined before, cloud storage is a service in which data is stored remotely, making access to it a cause of concern. By allowing a variety of hosts to store data in their systems online, the system is continuously at risk of being hacked, making security a primary concern for the systems that offer it. The advantages outweigh the disadvantages, making the use of the system advantageous. For most businesses, the ability to access saved files anytime is a competitive business advantage, making cloud adoption the go-to option for most companies (Yu et al., 2010). In this regard, the reasons that cloud-based systems gain full recognition in firms include usability: users can easily drag the files they need into their local storage.

For this reason, the user can take any data they need from one place to another without searching for it. Usability also makes sending data easy. In this regard, bandwidth is enabled. The user can post a web link over the net, reducing the risk of losing data, mainly when the data is confidential. The potential for cybercrime is thus decreasing, thanks to reduced rewards for hacking. Cloud storage is also accessible: the user can use the saved data anywhere, provided there is a steady internet connection.

The framework promotes the evolution of a culture of risk awareness, improving accountability throughout an organization by implanting risk management processes for stakeholders across the enterprise. Apart from risk management in the organization, the framework plays a critical role in controlling the Risk Management Council, a body put in place by various agencies in charge of the firms' information security. It also guides the company's Enterprise Business Continuity Management program, which provides recovery and resilience guidance and the most effective practices adopted by stakeholders for protecting various assets and processes within the organization in the event of a disaster. The ISRM also provides guidelines for compliance and a streamlined risk framework that aids organizations in ascertaining that they have put in place effective policies to help the company comply with government regulations and industry standards. Other important roles of the ISRM include educating and creating awareness among the employees of the organization through targeted education and broad campaigns. Finally, the framework influences behavior change among the company's employees by proactively highlighting significant security issues, risks, and threats that originate from people taking part in activities that may have an adverse impact on the enterprise.

The rapid transformation in the information technology sector requires organizations to invest more in cybersecurity technology to protect their computing resources from the growing threat landscape (Stoneburner, Goguen, & Feringa, 2002). In achieving this, companies concentrate on prioritizing and evaluating purchases, acquisitions and the future capacities to implement. Through the ISRM framework, the company employs both technical and procedural controls alongside best practices to provide security services to the firm. Some of the essential elements that organizations prioritize include evaluating and carrying out research on upcoming technologies, such as cloud storage, and the threats associated with them. The companies also adopt a systematic procedure to determine the priority of security investment. An efficient protection mechanism should employ different efficient access control processes such as authorization, authentication and the most recent development, biometric access control. An authentication mechanism involves verification of the claimed identity of the user of any system. This type of protection method helps in preventing access to information by unauthorized people by ascertaining that the user is in communication with the intended system. This mechanism works by requesting a match to a known element of the user and something else that is owned by the requester. The most common authentication mechanism used by most cloud systems is a password that allows access to various information by authorized people.


Mass storage forms the basis for creating the cloud-based system, giving the same the ability to store data as backup. For reasons of backups, the same can act as a bank of information by storing relevant data in remote files, only accessible via the internet. Thus, disaster recovery is an added advantage for any business system. Regarding ground space, the data saved up in the cloud storage also saves on storage space in the office and libraries where the files or books are in the same cloud storage. This advantage goes a long way in protecting any area in the offices that are used for saving data physically.

On the other hand, one advantage that outweighs the others is the cost saved by using any cloud-based system. Under this consideration, the cost of maintaining any physical file system is eliminated by utilizing these systems. Due to the ease of access, the systems make business management cheaper compared to having physical systems. One main advantage besides the cost is a reduction in the exposure of confidential cases, which are vulnerable in an office setting. With the online storage system, access to the same is limited by allowing access only to the users. The constant changing of passwords, made possible by most encrypted systems, makes the system more secure.

Before discussing the disadvantages, it helps to create a foundation by considering the broad applications of cloud computing, so that the advantages are hammered home. For starters, the applications of cloud computing are limitless. One must consider the middleware: with the right middleware, a cloud computing system can do almost any task that a computer can run. It implies that almost anything, from generic word processing software to customized computer programming, is compatible with the right cloud-based computing systems associated with cloud storage.


Applications of a Cloud-Based Computing System

Various applications of the same cloud-based system increase the advantages of having the system installed. For this reason, the clients can use the data and even applications from anywhere they are. In this regard, the cloud-based system is convenient as it increases ease of accessibility. The only need is the availability of an internet connection to enable the access. The costs of hardware are also drastically reduced. This is because cloud computing applications are used to execute all programs just as a standard desktop or laptop would. Thus, the need for external hardware and peripheral devices is eliminated by the use of the complete system. The necessity of the hard drive is also reduced since the cloud can store data.

For corporations, the cloud software provides the client and the company with a similar platform to interact, eliminating the need to buy other computers to match the number of users. The shared pool created provides all the clients with the available means of access to the same, making its use more accessible and prudent. For most corporations, the elimination of such excessive hardware is proper since it eases finances. Investing in equipment is also seen as quickly outpaced, since the technology changes rapidly over time.

Concerns Regarding Cloud Computing

The most significant worries over Cloud Computing are security and privacy. The idea of passing valuable data to another company worries some people. Corporate executives might hesitate to use a cloud computing system because they cannot keep their business's information safe.

The counterargument to this position is that the companies offering cloud computing services live and die by their reputations. It benefits these businesses to have reliable security measures in place. Otherwise, the service would lose all its clients. It is in their interest to use the most advanced techniques to protect their customers' data.

Some questions about cloud computing are philosophical. Does the user or company subscribing to the cloud computing service have the data? Does the cloud computing system, which provides the real storage space, own it? Is it possible for a cloud computing company to deny a client access to that client's data? Several companies, law firms, and universities are debating these and other questions about the nature of cloud computing.

How will cloud computing affect other industries? There is a concern in the information technology sector about how cloud computing will affect the business of computer maintenance and repair. If companies switch to using streamlined computer systems, they will have fewer IT needs. Some industry experts believe that the need for IT jobs will shift to the back-end of the cloud computing system.

Another research area in the computer science community is autonomic computing. An autonomic computing system is self-managing, which means the system monitors itself and takes measures to prevent or repair problems. Currently, autonomic computing is mostly theoretical. However, if autonomic computing becomes a reality, it could cut the need for many IT maintenance jobs.

Privacy is a different matter. If a client can log in from any place to use data and applications, the customer's privacy might be compromised. Cloud computing companies will need to find ways to protect client confidentiality (Whitman & Mattord, 2011). One way is to use authentication techniques such as usernames and passwords. Another is to use an authorization format in which each user can use only the data and applications relevant to his or her job.

Another form of protection mechanism is authorization, which involves providing users access to specific objects. A user can use certain information by being listed among the people allowed access. This kind of protection may involve the use of some ticket, such as a coded card that can be interpreted by a machine to permit access. Finally, there is the use of biometric technology to allow access to information. This system provides access by comparing the user's details and biometric properties as detected by a machine. It is one of the most efficient methods of information security, as people have different and unique biometric properties, hence there are minimal chances of making an error (Jain, Ross, & Pankanti, 2006). It is, therefore, paramount for an organization to choose the best protection mechanism depending on the situation to ensure information security.

There has been a significant turnover of employees in organizations dealing with information systems due to the dynamic nature of professions and safety information itself (Karabacak & Sogukpinar, 2005). Turnover of security and policy specialists can lead to adverse losses of crucial information. In recent years, the image of the corporation in the eyes of the public has gone through a remarkable transformation. The information security professions and the information system play a critical role in data integrity and the overall success of an organization. The information technology industry depends significantly on the high need for total security, confidentiality and personal ethics (Karabacak & Sogukpinar, 2005). The reputation of a firm might be ruined if its information security procedures are viewed as unsatisfactory or inadequate. The advancement in technology makes it easier to breach the integrity of information, and such breaches are very difficult to identify. For instance, security and innovation secrets can be easily transferred from one organization to another when personnel leave one company for another. It is, therefore, very significant for a corporation to be very keen on retaining its employees and improving their skills to lower this risk.

Therefore, it is essential for organizations to realize that for the company to lower risks and improve security across the firm, it must place its priority on people, who are the most valuable assets that can help the enterprise meet its diverse goals. The corporations strategically leverage a mix of drive innovation, full-time employees, and proper management of services offered across the globe to achieve their aims and objectives. As a strategy, the company seeks to employ top information security and risk managers. In strengthening the ability of its people, the firm determines to keep talent for managing information security by conducting various events to improve its employees' skills, such as strategic job orientation, on-the-job training, and leadership as well as technical training. Every employee in the firm comes up with and maintains a professional advancement program, paying particular attention to specific development requirements. With specific programs, employees can improve their skills and hence their performance (Bulgurcu, Cavusoglu, & Benbasat, 2010). Also, to improve the workability of its employees, the organization hosts various security competitions to improve awareness on matters of information security. Besides, Microsoft also funds some of its executive employees to take part in graduate information security courses as a way of adequately equipping them with the necessary skills for dealing with information security issues within the


Amazon also employs the principle of data encryption to ensure data security in its cloud. Vormetric Data Security provides data security in Amazon's cloud through data encryption (Vormetric, 2011). According to Vormetric (2011), clients using the Amazon computing cloud can control and protect their private data through encryption. The robust encryption and flexible key management that Vormetric offers for Amazon ensure that both structured and unstructured data in the Amazon cloud are secure (Vormetric, 2011). As such, clients using Amazon cloud computing can confidently store and search for files and databases in the cloud.

Establishment and maintenance of physical security of data storage centers are also necessary to ensure that data storage in the cloud is safe. Moreover, it is essential that data stored in the cloud be protected from accidental loss, especially when there is a breakdown of facilities and infrastructure. According to Infosecurity (2010), Google ensures that security is enhanced at data centers to avoid any possible attack on and access to the data. For instance, data stored in the government cloud, GovCloud, is usually stored in secure United States servers. Moreover, data in Google clouds are stored in different data centers to make sure that data is always safe and available even in cases of emergency.

Furthermore, one may look forward to such avenues as negotiating terms with their cloud provider and having the cloud provider give them their security and compliance requirements (Mishra, Mishra, & Tripathy, 2011). When looking at the broader picture, there are many reasons why an organization needs to secure an EMR system.

In today's world of the computer, the internet and e-commerce, security plays a big part (Whitman & Mattord, 2011). Technology has come with increased crime, hence necessitating a legal and ethical framework to promote information security. Laws, therefore, have become necessary to protect those facing security threats to data integrity. A significant part of information and computer security in the contemporary world is connected to the internet, and since there are no geographic boundaries on the internet, legal measures are very critical for guiding practices within the sector (Rees, Bandyopadhyay, & Spafford, 2003). Laws and statutes related to computers and information have a direct impact on the information security of a particular organization. They dictate how intrusions into computer security are dealt with and investigated, as well as the type of evidence needed to prosecute perpetrators of computer information security crimes (Jain et al., 2006). An organization's security policies rely heavily on the type of laws on the ground.

Cloud computing is becoming one of the critical words of the IT industry. The cloud is a metaphor for the Internet or the infrastructure of communication between the architectural components, based on an abstraction that hides the complexity of the infrastructure. Each part of this infrastructure behaves as a service and is allocated in data centers, using shared hardware for storage and computing (Buyya, Yeo, Venugopal, Broberg, & Brandic, 2009). To use the service, users need only their machine's operating system, a browser and Internet access. All computing resources are available on the Internet. Therefore, the user's machine does not need to have high computational resources. As a result, the cost of acquiring the system is reduced.

The goal of Utility Computing is to provide building blocks such as storage, CPU, and network bandwidth through specialized providers at a lower cost per unit used. Users of services based on Utility Computing do not have to worry about scalability because the storage capacity provided is practically endless.


Another significant element of information security is that vast ethnic corporations such as Microsoft, as well as other systems that keep massive data, deal with vast expanses of the internet, a domain with no cultural, national or geographic boundaries. Since cloud storage technology involves diversified information from diverse communities around the globe, with different beliefs and values, the company needs to embrace certain etiquette and responsibility when dealing with data to promote security.

Due to the diversity and complexity of various societies around the world, it is challenging to come up with laws that are acceptable to all organizations. Unlike statutes, ethics are fair and will not be imposed on people. Different people may have different ethical beliefs. It is, therefore, crucial for an organization to set social standards that will dictate individuals' interaction with information within the firm.

Many organizations have thus established codes of expected behavior that they encourage their stakeholders to abide by. The ethical standards work hand in hand with the laws to define the due behavior at work to promote information security. These moral codes involve the elements of privacy, confidentiality, and respect for personal space. The companies also conduct educational efforts to educate their employees on the acceptable ethical rules at work as a way of promoting information security.

Intelligence software such as the PRT network can play a crucial role in promoting safety in cloud storage. The PRT network is an easy-to-install and easy-to-use program that helps in monitoring one's system. The software supports the automatic recognition of the network and gives alerts when there is an intrusion into one's network. Through the network, one can trace historic network performance, which provides an opportunity for change and adapting to new conditions. It also notifies on the shortcomings of a system. Through the software, one can see all the people who tried to use the network, which gives an opportunity to prevent adverse outcomes of information insecurity.

Based on the literature analysis in this section, for a large corporation dealing with information systems, success is primarily based on the security of information. As has been made clear, the company that uses cloud storage has made a remarkable effort in promoting information security by paying attention to various critical factors that include controlling of risks, protection mechanisms, laws and ethics and their relationship to safety, and organizational people and security. Among the four factors, many organizations have achieved excellent performance on the controlling of risks and on staff and security. There is also a significant response to the other elements. However, most agencies should make a few adjustments and improvements to meet absolute information security. First, they should carefully choose employees by not only considering technical skills but personal integrity too. They should also create an environment that helps in promoting morale, loyalty and job satisfaction to lower employee turnover, which can adversely affect information security. Furthermore, they should also regularly remind their employees of their responsibility to promote information integrity and protect the secrets of the trade appropriately, as employees can transfer essential and confidential information to other parties, including competitors, hence impacting the business operation of the company. Finally, the organizations should also take defensive actions when discharging an employee, whether because of their undoing or as a strategy of cost reduction. Such workers are not allowed to get access to the sensor system with significant information until they leave the business premises. Any security credentials such as passwords used by the discharged employee must be changed. With proper strategic information security, the organizations utilizing cloud storage technology will be able to protect their data integrity and hence promote their performance in the market. This research brings many useful solutions into the picture to cut the threats to data integrity. Many approaches have been proposed to assure the data integrity of cloud storage systems. In "Ensuring information storage security in cloud computing," Wang, Wang, Li, Ren, and Lou (2009) proposed a verification scheme for public verifiability and efficient data operations and enhanced the POR model by changing the classic Merkle Hash Tree (MHT) construction for block tag authentication.
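The classic Merkle Hash Tree that Wang et al. start from can be sketched as follows. This is an added example, not code from this paper or from Wang et al., and it shows the unmodified tree rather than their changed construction; SHA-256, the 0x00/0x01 prefixes, the function names and the sample blocks are assumptions made for the illustration.

```python
import hashlib
import hmac

# Constructed sample data: five file blocks as a client might split a file
# before outsourcing it to cloud storage. Not taken from the paper.
BLOCKS = [b"block-0: header", b"block-1: records A", b"block-2: records B",
          b"block-3: records C", b"block-4: trailer"]


def leaf_hash(block: bytes) -> bytes:
    # Leaves and inner nodes use different prefixes so that an inner node
    # can never be passed off as a data block.
    return hashlib.sha256(b"\x00" + block).digest()


def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()


def build_levels(blocks):
    """Return every tree level, leaves first and the root level last."""
    if not blocks:
        raise ValueError("cannot build a tree over zero blocks")
    level = [leaf_hash(b) for b in blocks]
    levels = [level]
    while len(level) > 1:
        nxt = []
        for i in range(0, len(level), 2):
            if i + 1 < len(level):
                nxt.append(node_hash(level[i], level[i + 1]))
            else:
                nxt.append(level[i])  # an unpaired node is promoted unchanged
        level = nxt
        levels.append(level)
    return levels


def merkle_root(blocks) -> bytes:
    """The single value the data owner (or auditor) has to keep."""
    return build_levels(blocks)[-1][0]


def auth_path(levels, index: int):
    """Server side: the sibling hashes needed to rebuild the root from one leaf."""
    if not 0 <= index < len(levels[0]):
        raise IndexError("no such block")
    path = []
    for level in levels[:-1]:
        sibling = index ^ 1
        if sibling < len(level):  # a promoted node has no sibling at this level
            path.append(("L" if sibling < index else "R", level[sibling]))
        index //= 2
    return path


def verify_block(block: bytes, path, trusted_root: bytes) -> bool:
    """Verifier side: needs only the block, its path and the trusted root."""
    digest = leaf_hash(block)
    for side, sibling in path:
        digest = node_hash(sibling, digest) if side == "L" else node_hash(digest, sibling)
    return hmac.compare_digest(digest, trusted_root)


def audit(stored_blocks, stored_levels, trusted_root: bytes):
    """Challenge every block; return the indices whose proof does not verify."""
    return [i for i, blk in enumerate(stored_blocks)
            if not verify_block(blk, auth_path(stored_levels, i), trusted_root)]
```

The verifier stores 32 bytes regardless of file size, and each proof carries at most one hash per tree level, which is what makes auditing by a third party practical.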

The ACM security issues introduced a flexible and efficient distributed method that combines storage correctness assurance with support for efficient dynamic operations on data blocks, along with data error localization, in the distributed verification of erasure-coded cloud data.

Summary

This chapter details the background related to the problem which is the scope of this project. It also refers to the literature used to find the problem and to various other literature references for the possible solution in this project. The next chapter details security aspects of cloud. Applications of data sharing in Cloud. Different types of clouds and the service

Chapter III: Data Breach in Cloud

Introduction

This chapter enumerates the different ways data could be breached in the cloud. Access to unlimited resources makes it easy for attackers to crack the security protocols and all the encryption algorithms deployed on the cloud server. Some ways to breach privacy and security in the cloud are detailed in the chapter. The motives of an attacker are also discussed in this chapter.

Types of Attacks

There are many ways in which the security and privacy of the cloud can be breached. They are:

▪ Embedded Signature XML Attacks: There are different XML signature wrapping attacks with which one can completely override the administrative rights of the Cloud user, thereby manipulating user data by creating, deleting or duplicating user instances.

▪ Attacks using Cross Site Scripting: Attackers inject a piece of code into web applications to override all access control mechanisms. Amazon Web Services evidently proved the XSS attack. Attackers could gain free access to all customer data, authentication data, tokens as well as plaintext passwords.

▪ Flooding Attack Problem: An attacker can send multiple anonymous bogus requests to the Cloud and easily overload the server. This attack will increase the workload of the cloud server and result in data loss.

▪ Denial-of-Service Attacks: The attacker deploys malicious code in the browser of the user, which results in opening multiple browsers, thereby resulting in denial of the user's privileged access to services.

▪ Law Enforcement Requests: In cases in which the FBI or the government demands from a Cloud Service Provider the right to use its data, the Service Provider is least likely to deny them. Hence, there is an inherent threat to user privacy and confidentiality of data.

▪ Problem with Data Stealing: Attackers use different methods to steal user accounts and passwords, such as brute-force attacks or over-the-shoulder techniques. The privacy and confidentiality of the user's data will be severely breached. It is better to add more significant values while authenticating the user to avoid the breach. This substantial value or extra value is distributed to the user via SMS or email, thereby mitigating the likelihood of data confidentiality issues.

Motives of an Attacker

Although there is much literature on securing a system against attackers, not much attention has been invested in the types of attackers and their motivations for carrying out such attacks. Both the type of attack and the nature of the attacker depend on the motive of the attacker. The following are some examples.

▪ Stealing valuable data: Hackers take data stored on the internet worth millions of dollars. With access to such useful data, they can then generate revenue or promote terrorism.

▪ To cause controversy: Attackers find it amusing to exploit the data of users stored in the cloud, thereby creating chaos, and users suffer from stolen identities and breached data.

▪ To get revenge: Employees who have been stripped of their rights by an organization may express dissatisfaction by hacking the organization's network. When an organization makes use of the Cloud, this becomes all too easy for the former employee, and there have been many cases of this happening in the real world. For instance, there was the case of a former employee who managed to get access to the Cloud provider's server and deleted an entire season of a children's TV show (Li et al., 2013).

▪ To help: Sometimes an organization hires a hacker to find and analyze the flaws in its security framework. The hacker may misuse the opportunity and plant a bot in the organization's network, thereby leaving the privacy of the organization at the attacker's will.

▪ To gain prestige: Attackers show off their skills and earn fame by being able to hack a large organization with stable security mechanisms. Hackers make a profession of breaching large agencies.

▪ Curiosity: Some attackers are curious to learn something about an organization. Even though these attackers have no intention of exploiting the organization's assets, they leave the organization's security framework vulnerable for other attackers to breach and use.

Guidelines for Privacy and Security in Cloud

The following are the impacts of Cloud:

▪ Governance. Every organization has its own set of standards, practices, protocols, policies, and ways by which every employee must abide, and this can cover application development, testing, implementation, monitoring and so on. Organizations based on Cloud services don't have proper rules and guidelines established for their employees, so employees unknowingly bypass the standards required to support the privacy and security of the Cloud Services.

▪ Compliance. This refers to a set of established regulations, rules, and guidelines which define the privacy and security laws within different countries, states, and so on. These rules are followed by all the employees of the organization to avoid a breach and maintain the privacy of data, since the data deployed on servers is spread across multiple locations without the knowledge of the user.

▪ Trust. The Cloud Service Providers must make sure the trust placed in them by the organization is not broken. The cloud service providers have to make sure proper authentication protocols are used to protect the corporation's data, and all the cloud service provider's employees must comply with their organization's rules and prevent a data breach.

▪ Architecture. The Cloud architecture must be designed to provide privacy and security. For instance, IaaS Cloud providers (Li et al., 2013) can give Virtual Machine Images to consumers. Organizations which use these images store very critical data. Attackers may look at these images to leak information. Attackers may supply a corrupted virtual machine image to users, thereby breaching the user's confidential data. It is essential that the architecture of the Cloud be designed in such a way that it ensures privacy and security. Attackers are always on the lookout for security holes in Cloud architecture.

▪ Identity and Access Management. Apart from data sensitivity, privacy is a crucial aspect of cloud access. Current status and authorization framework for cloud access are stable but vulnerable to the insider’s attack at the same time.

▪ Software Isolation. In Multi-Tenant Cloud computing architectures, computations for different consumers are executed in isolation even though the software remains in a single software stack. Applications in the Cloud are susceptible to attack and quickly compromised, so isolation is required to prevent such attacks.

▪ Data Protection. Data stored in cloud server is shared by many organizations. Some data is organization specific. Proper encryption logics are used to avoid data breach and loss of data. These data losses usually happen in data transit.

▪ Availability. As defined in the NIST Security and Privacy Guidelines [12], availability is the extent to which an organization's full set of computational resources is accessible and usable. Events such as Denial-of-Service attacks, server downtime, and natural disasters affect availability and can modify stored data and, more importantly, expose the organization's data during events like server downtime.

▪ Incident Response. An organized method of dealing with the consequences of a security attack. A Cloud application has many layers, such as application, operating system, network, database and so on. Event logs are generated to record intrusion detection. The complex layers and architecture consume hours of debugging to find an attack in the Cloud.

Secure Data Sharing in Cloud and its Importance

Data in the cloud can be accessed by anyone from anywhere using any device across the planet. The organization finds this profitable since by just making their data available in the cloud they can charge customers for using their data and services irrespective of the location. With these advanced uses, there are disadvantages when it comes to privacy and security while data sharing.

Users love to share data with friends, colleagues, and family, thereby sharing every instance of their lives. The benefits of data sharing are listed below:

▪ Higher productivity: Organizations and businesses get most of their work done by outsourcing, and this approach helps them in collaborating with their peers efficiently, finally satisfying their key business goals. Hospitals benefit from data sharing, resulting in a gradual decrease of Medicare costs and access to more medicines available in different locations. Students benefit from working on group projects, thereby expanding their horizon to a more significant knowledge base.

▪ Limitless fun: Social networking channels like Facebook, Twitter, and Instagram have brought a revolution in the daily living of an individual. They have enabled the ability to express and share feelings and experiences every moment with friends and family. These applications help in socializing, marketing, business and other enormous uses which help the users to live life limitlessly. Using these apps gives limitless power to share data and access to unlimited resources.

▪ Promote and support opinions: People share information with the world to voice an opinion. People these days want to be heard, and social networking sites enable them in promoting their view, which was not possible without forming protests. Social networking sites such as Facebook, Twitter and YouTube are being used to raise awareness about real issues in the world. Some campaigns have led to violent protests, but the motive of online campaigns is to inform people of problems and encourage people to fight for a cause.

Elements of Data Sharing in Cloud

When enabling data sharing in the Cloud, it is essential that only authenticated users get access to data stored in the Cloud. The following is a summary of the ideal requirements of data sharing in the Cloud.

The data owner should be able to specify a group of users who can access his/her data. Members of the group should be able to access the data at any time without the data owner's intervention. A user who is unauthenticated and not a member of the data owner's group should never gain access to the data, and this includes the Cloud Service Provider. All grant and revoke privileges rest with the data owner, who is able to withdraw access to the data for any member of the group. The data owner can add members to the group. No other member of the group can revoke the rights of other members or add new users to the group without the data owner's permission. The data owner specifies all data manipulation permissions, such as read or write, on the data owner's files.

Now let us look at the privacy and security needs of data sharing in the Cloud. Achieving these requirements in the Cloud architecture depends on how many users are involved in adopting and embracing Cloud technology.

▪ Data confidentiality: Unauthenticated or malicious users should not get access to data at any time. Confidentiality of data must remain intact in transit, at rest and on backup media. Only authenticated users may access the information.

▪ User revocation: When a user's access rights to data are revoked, that user can no longer perform read/write operations on the data. For efficiency, the revocation should not affect other authorized users in the group.

▪ Scalable and efficient: Data stored in the cloud is accessed by multiple users at the same instant. The Cloud application must identify the authenticated users efficiently and be operationally scalable.

▪ Collusion between entities: Data sharing methodologies might result in data collision in some instances, which might expose the data of different user groups. The Cloud application must make sure that, in situations of data collision, an unauthenticated user does not get access to data they are not privileged to access.

Key Management in the Cloud

Key management covers every operation on keys except encryption and decryption (Li et al., 2010); it includes creation/deletion of keys, activation/deactivation of keys, transportation of keys, and storage of keys. Most cloud service providers use basic key encryption schemes to protect the data, or sometimes leave it to the users to encrypt their own data.

There is always a need to encrypt data stored in the Cloud. The challenges are: how should the keys for encryption be handled? Where should the keys be stored, and who has access to those keys? How is data recovered if keys are lost? Encryption and key management are very important in helping to secure applications and data stored in the Cloud. With the advanced capabilities of Cloud providers, there is an ongoing need to adopt a robust key management scheme for their services. There are three ways Key Management can be effective:

▪ Securing key stores: The key stores are where the keys are created and stored, so high-security protocols are implemented in the key stores to protect them from malicious users. Gaining access to a key means gaining access to the encrypted data associated with that key. Hence the key stores themselves are protected in storage, in transit and on backup media.

▪ Access to key stores: Access to the key stores is limited to the users that have the rights to access the data. Role authentication protocols help control access. Key creation, storage and retrieval are owned by different entities; with this approach management becomes easy, and in the event of an intrusion the cause can be found and terminated quickly.

▪ Key backup and recoverability: Losing a key means losing all the data associated with that key. Key storage and backup solutions must be designed carefully. For events in which keys are destroyed, recovery options must be in place so that the data associated with that key can be retrieved and a new key generated to encrypt the data.
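An added example, not code from the paper: the owner-controlled sharing and user revocation requirements above, implemented as envelope encryption in which the owner wraps one data key per group member and rotates it on revocation. The function names and the sample group are assumptions, and the HMAC-SHA256 counter-mode cipher is a standard-library stand-in for an authenticated cipher such as AES-GCM, not the attribute-based scheme the paper proposes.

```python
import hashlib
import hmac
import secrets

def _prf(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()

def _xor_stream(key, nonce, data):
    # HMAC-SHA256 in counter mode; stand-in cipher constructed for this example.
    blocks = (len(data) + 31) // 32
    ks = b"".join(_prf(key, nonce + i.to_bytes(8, "big")) for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(key, plaintext):
    # Encrypt-then-MAC under separate derived keys: nonce || ciphertext || tag.
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(_prf(key, b"enc"), nonce, plaintext)
    return nonce + ct + _prf(_prf(key, b"mac"), nonce + ct)

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _prf(_prf(key, b"mac"), nonce + ct)):
        raise PermissionError("wrong key or modified blob")
    return _xor_stream(_prf(key, b"enc"), nonce, ct)

def publish(member_keys, plaintext):
    # Owner side: fresh data key, wrapped once per member. The cloud stores only this record.
    dek = secrets.token_bytes(32)
    return {"ciphertext": seal(dek, plaintext),
            "wrapped": {name: seal(kek, dek) for name, kek in member_keys.items()}}

def read(record, name, kek):
    # Member side: unwrap the data key with the member's own key, then decrypt.
    if name not in record["wrapped"]:
        raise PermissionError(name + " is not in the group")
    return unseal(unseal(kek, record["wrapped"][name]), record["ciphertext"])

def revoke(record, member_keys, owner, name):
    # Owner side: rotate the data key so a cached copy of the old one is useless.
    # Remaining members keep their own keys and need no action.
    plaintext = read(record, owner, member_keys[owner])
    remaining = {n: k for n, k in member_keys.items() if n != name}
    return remaining, publish(remaining, plaintext)

# Constructed sample group and file.
KEYS = {n: secrets.token_bytes(32) for n in ("owner", "alice", "bob")}
RECORD_V1 = publish(KEYS, b"constructed sample file")
BOB_CACHED_DEK = unseal(KEYS["bob"], RECORD_V1["wrapped"]["bob"])
REMAINING, RECORD_V2 = revoke(RECORD_V1, KEYS, "owner", "bob")
```

Rotation protects only what is published after the revocation: a revoked member who kept a copy of the old ciphertext and its data key can still read that old copy.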

Types of Cloud

Cloud Computing has resulted in a significant workload shift: local computers no longer need to run all the cumbersome processes; instead, the series of computers connected on a network that forms the cloud handles all the heavy lifting. This application of cloud computing reduces the demand for hardware and software at the user's end. The user's computer only needs to run a Web Browser, which is the cloud computing system's interface software, and the rest is handled by the cloud. The three common types of cloud are the Private, Public and Hybrid cloud.

A cloud that is set up and accessed over a private, secured intranet within an organization, where only a chosen pool of resources can share, store and retrieve data, is a Private Cloud. This kind of setup is owned and controlled by the IT organization within a corporation. The cloud computing business model (Bethencourt et al., 2013) is bought and managed in-house to enable shared IT services. The domain where cloud services are accessed over the public Internet is a Public Cloud. These are third-party cloud service providers who offer their services to the public. Some examples include Salesforce.com, Google App Engine and Google search, Microsoft Azure, and Amazon Web Services such as EC2. A Hybrid cloud consists of private and public clouds, where services from each domain are consumed in an integrated fashion and include an extended relationship with selected external service providers. It can be pictured as an organization that has its own private cloud but also depends on the data available on third-party vendors' public clouds to integrate its services with the public data.

Service Models for Cloud Computing

The different cloud computing service models are derived from Private and Public Cloud implementations. Currently, the industry has successfully adopted three common types of cloud computing service models.

Infrastructure as a Service (IaaS) is a service model built around servers, storage capacity, and network bandwidth. Examples include Amazon EC2 and S3, Rackspace, AT&T, and Verizon. Typical things businesses do with IaaS include:

▪ Test and development. Before an application is launched, it goes through phases of development and testing, an iterative cycle in which both run at the same time.

▪ Website hosting. Traditional website hosting platforms are expensive; using IaaS is cost efficient and time efficient.

▪ Storage, backup, and recovery. An organization's most significant challenge is maintaining the privacy of its customers' data and meeting legal requirements while handling the growing need for storage. IaaS is useful for controlling unpredictable demand and steadily growing storage needs. It also simplifies planning and provides flexibility in managing and designing backup and recovery systems.

▪ Web apps. IaaS infrastructure supports web apps, including storage, web and application servers, and networking resources. The organization can deploy web apps quickly. IaaS easily scales infrastructure up and down when demand for the apps is unpredictable.

▪ High-performance computing. Complex problems like calculating probabilities of an earthquake and protein folding simulations, climate and weather predictions, financial
